Privacy statement coronavirus testing

Testing for coronavirus and communicating the results
The GGDs used to test for coronavirus. Testing stopped on 18 March 2023. The GGDs do still keep your personal data in a medical file.

Who works with your personal data?
GGD GHOR Nederland manages the CoronIT IT system for the GGDs. The GGDs are responsible for your personal data if you take a coronavirus test. We use this system to use and store your personal data. We do this in accordance with the rules set out in the law. This means that we handle your personal data properly and safely. We must also tell you what data we have about you, what we do with it, and who works with it. We share your data with the following organisations:

The GGD: Local GGD departments and GGD doctors (called the GGD in this document)
GGD GHOR Nederland
The IT provider (Topicus) of CoronIT and its sub-processors

CoronIT is the IT system for the test process and communication. We keep your medical file with your test and vaccination data in this system. It lets the GGDs see whose test result it is. Normally, GGD GHOR Nederland cannot see this information, unless there is a problem that our Service Desk needs to solve. Then we will be allowed to see this data for our Service Desk work. The picture below shows where your data goes.

What happens to your personal data?
You took a coronavirus test at the GGD. The GGD keeps all your test data in your medical file. The GGD is required to keep this medical file.

Would you like to know which personal data this is? And what else we use it for? Please take a look at the section below called What else do we use your personal data for?
Have you been tested or vaccinated at the GGD or somewhere else and do you want proof of recovery or a vaccination certificate? For example, in order to travel? Then you can use the CoronaCheck app. You can get a QR code for your proof of recovery or your vaccination certificate in this app. Do you want to know more about your privacy in the CoronaCheck application? Then read the privacy statement for the CoronaCheck app.

What else do we use your personal data for?
It is important that we know how many infections there were in the Netherlands and how many tests have been done. We use your data to find this out, but in a general, anonymous way. This means that we don’t see any of your personal data in the information. Researchers might also use your data for scientific research. This is also done anonymously, and it follows the rules that apply to scientific research.

When do we send your data to other organisations?
In some situations we send data related to you to other organisations. Can people find out from this data that it is linked to you? Then we will only send it if you have given your permission. Or if we are required by law to send the data.

We make sure that the other organisations cannot figure out from the data exactly whose data it is. We cooperate with the following organisations. We have sent data to them. Or we will if they ask for it:

Statistics Netherlands (CBS). We sent the CBS data so that they could track the coronavirus pandemic.
National Institute for Public Health and the Environment (RIVM). We sent the RIVM data that the law says we had to send to them. We also sent the RIVM data for research.
Dienst Testen. We sent Dienst Testen data so that they could arrange coronavirus testing in the Netherlands properly.
The Ministry of Health, Welfare and Sport (VWS). VWS is responsible for the CoronaCheck app. If you ask to see your data via the CoronaCheck app, we send this data.

What personal data do we use?
We have recorded your personal data in your medical file. The personal data in your medical file that relates to testing is:

Your first and last name
Your address
Your date of birth
Whether you are male, female, unspecified or unknown
Your Citizen Service Number (BSN)
Your phone number
Your email address
Your symptoms
Your test tube barcode
The result of your coronavirus test
Perhaps the name of the doctor asking for the test

You log in to the coronatest website with your DigiD. This will help you make your appointment securely. It will also let us know who is making the appointment. We will not be able to see your DigiD username or password.

What laws apply to the way we use your personal data?
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: ‘consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.’

We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record your personal data in a medical file for these types of diseases. This is stated in the Wet op de geneeskundige behandelsovereenkomst (translated here as the Dutch Medical Treatment Contracts Act).

If you contact GGD GHOR Nederland to check your data so that you can get proof of recovery, we will record your telephone conversation. We do this to make sure any complaints are handled properly. We are allowed to record these conversations on the basis of Article 6, paragraph 1f of the GDPR.

How long do we keep your personal data?
We keep your personal data for a maximum of twenty years. This is required by the Wet op de geneeskundige behandelsovereenkomst (translated here as the Dutch Medical Treatment Contracts Act). After this time, we destroy the data or make it anonymous.

During the coronavirus test, an employee used a cotton swab to remove cells from your nose and throat. This cotton swab was sent to a laboratory to be tested. How long the laboratory keeps the cotton swab depends on the result of the test:

You don’t have coronavirus? The laboratory will destroy the cells from your test within a few days.
You do have coronavirus? Then the laboratory can keep the sample from your test for 3 months. The laboratory uses your test to see how the virus spreads. Other researchers can also use the cells from your test for scientific research. If that happens, the laboratory will anonymise your test first.

We do not collect your DNA

We will ask for your permission if we want to keep your personal data longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.

If you called the call centre to make a testing appointment, the phone company of the call centre will keep your phone number for 11 months. This is required by the Telecommunicatiewet (translated here as the Telecom Act).

If you contact GGD GHOR Nederland to check your data, we will keep the recording of this telephone conversation for 4 weeks.

How do we protect your personal data?
We think it is important to keep your personal data safe. To do that, we make agreements with the people and organisations that process the data for us. The agreements say what they can do with your data for us.

What else do we do?

We make sure that we work with secure systems. We test this, or have it tested for us.
We make sure that employees who work with your personal data know what they can and cannot do with the data. They must keep the personal data confidential.
We make sure that we work according to a fixed procedure. We also follow the laws and regulations about personal data.

What are your rights?
These are your rights under the law:

You have the right to receive correct information about what happens with your personal data.
You have the right to see your personal data. You can get a copy of this data.
If your data is incorrect, you can ask us to correct it.
In some cases, you can ask us to delete your personal data.
In some cases, you can object to the use of your personal data.

You can contact the GGD that performed your test for all of these situations.

Do you have questions or complaints about the use of your personal data?
Do you have questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that performed your test. Or the organisation that tested you. Every GGD and other organisation for coronavirus testing has a Privacy Statement. This tells you who the Officer is.

Appendix 1 lists the website addresses for all GGDs.

You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is fg@ggdghor.nl.

What if we handle your complaint and you don’t agree with the outcome? Or with the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this at this website.

Changes
We will adjust this privacy statement as necessary. For example, if we have to change who processes personal data, or which personal data we use.

We last updated this statement on 8 May, 2023.